Cerber ransomware removal instructions

What is Cerber?

Cerber (also called CRBR Encryptor) is ransomware-type malware that infiltrates systems and encrypts various file types, including .jpg, .doc, .raw, .avi, etc. Cerber adds a .cerber extension (some variants add .cerber2 or .cerber3) to each encrypted file. Note that some variants of this ransomware add random file extensions, for example ".ba99", ".98a0", ".a37b", ".a563", etc. There are also variants that add a .beef extension to encrypted files. Following successful infiltration, Cerber demands a ransom payment to decrypt these files. It is stated that payment of the ransom must fall within the given time frame (seven days), otherwise the ransom amount will double. Some variants of this ransomware disclose their versions, for example "Cerber Ransomware 4.1.5", "Cerber Ransomware 4.1.6", "Cerber Ransomware 5.0.0" (the latest variant demands a ransom of $499), etc.

During encryption, Cerber creates three different files ("#DECRYPT MY FILES#.txt", "#DECRYPT MY FILES#.html", and "#DECRYPT MY FILES#.vbs") containing step-by-step payment instructions in each folder containing the encrypted files. Newer variants use "_READ_THI$_FILE_.hta", "_HELP_HELP_HELP_random.hta", "_READ_THIS_FILE.hta", "_HELP_HELP_HELP_random.jpg", "_R_E_A_D___T_H_I_S___random_.txt", "_R_E_A_D___T_H_I_S___random_.hta", "_!!!_README_!!!_random_.hta" and "_!!!_README_!!!_random_.txt" files instead. The message within these files states that users can only decrypt their files using a decryptor developed by cyber criminals (called 'Cerber Decryptor'). The #DECRYPT MY FILES#.vbs file contains a VBScript which, when executed, plays the message "Your documents, databases and other important files have been encrypted!" through the computer speakers. To download the decryptor, a ransom payment of 1.24 BitCoin (at time of research, equivalent to $546.72) is required. If the ransom is not paid within seven days, it doubles to 2.48 BTC. It is also stated that users can only pay using the Tor browser and by following instructions within the indicated website. Unfortunately, at time of research, there were no tools capable of decrypting files affected by Cerber. Therefore, the only solution to this problem is to restore your system from a backup.
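The file extensions and ransom-note names described above can be turned into a quick triage scan that shows which folders were hit before you restore from backup. This is an added example, not a tool from the original guide; the function names, the regular expressions and the sample tree are constructed for illustration, and the "random" parts of the note names are treated as wildcards.

```python
import os
import re
import tempfile

# Ransom-note file names listed in this article; "random" parts become wildcards.
NOTE_RE = re.compile(
    r"^(#\s*DECRYPT MY FILES\s*#\.(txt|html|vbs)"
    r"|_READ_THI[S$]_FILE_?\.hta"
    r"|_HELP_HELP_HELP_.*\.(hta|jpg)"
    r"|_R_E_A_D___T_H_I_S___.*_\.(txt|hta)"
    r"|_!!!_README_!!!_.*_\.(hta|txt)"
    r"|_README_.*_\.hta)$",
    re.IGNORECASE,
)
STRONG_EXT = re.compile(r"\.cerber[23]?$", re.IGNORECASE)  # .cerber, .cerber2, .cerber3
WEAK_EXT = re.compile(r"\.[0-9a-f]{4}$", re.IGNORECASE)    # .ba99, .a37b, .beef, ...


def triage(root):
    """Return {folder: {"notes": [...], "encrypted": [...]}} for affected folders."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if NOTE_RE.match(f))
        strong = [f for f in files if STRONG_EXT.search(f)]
        # A bare four-hex-character extension only counts next to a ransom note.
        weak = [f for f in files if WEAK_EXT.search(f)] if notes else []
        if notes or strong:
            report[folder] = {"notes": notes, "encrypted": sorted(strong + weak)}
    return report


def build_sample_tree(base):
    """Create a constructed sample tree (empty files) to exercise triage()."""
    layout = {
        "docs": ["#DECRYPT MY FILES#.txt", "a1B2c3D4e5.cerber", "notes.docx"],
        "pics": ["_R_E_A_D___T_H_I_S___X7KQ_.hta", "0f3a9c.a37b"],
        "clean": ["archive.cafe", "report.pdf"],  # hex-like extension, no note
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub))
        for name in names:
            open(os.path.join(base, sub, name), "w").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for folder, hit in triage(build_sample_tree(tmp)).items():
            print(folder, hit)
```

Because Cerber drops its note in every folder that contains encrypted files, requiring a note before counting random four-character extensions keeps ordinary files such as "archive.cafe" out of the report.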

After encrypting files, Cerber ransomware changes desktop wallpaper:

Update 1 December, 2016 - Cerber ransomware was updated by cyber criminals. The most noticeable changes include the use of red colour for the desktop wallpaper. The ransom demanding message is now presented in _README_[RANDOM]_.hta file. Cyber criminals no longer provide the version number of this ransomware. The ransom amount at the time of writing this article was $499 payable in Bitcoins.

Update June 15, 2017 - Cyber criminals have updated their ransom demanding message presented in a .txt file (_R_E_A_D___T_H_I_S___random_.txt). Here’s a screenshot of this updated file:

Text presented in _R_E_A_D___T_H_I_S___random_.txt file:

Hi, I'am CERBER RANSOMWARE ;) ----- Y0UR D0CUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/ Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12nwsv.top/ ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

Victims of Cerber ransomware can use a decrypter called “Trend Micro Ransomware File Decryptor tool” to decrypt their files for free. Download is HERE. (Unfortunately this tool is no longer available) You can view a video tutorial of how to use this tool HERE. Here’s a screenshot of this tool:

Update 17 August 2016 - Check Point Software Technologies Ltd. has released a decrypter for Cerber ransomware. At the time of testing it was able to decrypt files with .cerber and .cerber2 extensions. To decrypt their files, victims should visit THIS website and follow the simple 7 steps to decrypt their files for free. Unfortunately, cyber criminals have updated their ransomware and this tool no longer works. Here's a screenshot of the Cerber Ransomware Decryption Tool website:

Text presented on the wallpaper of Cerber ransomware:

You documents, photos, databases and other important files have been encrypted! If you understand all importance of the situation then we propose to you to go directly to your personal page where you will receive the complete instructions and guarantees to restore your files. There is a list of temporary addresses to go on your personal page.

Your documents, photos, databases and other important files have been encrypted! To decrypt your files you need to buy the special software – «Cerber Decryptor». All transactions should be performed via Bitcoin network only. Within 5 days you can purchase this product at a special price: 0.750 (≈ $518). After 5 days the price of this product will increase up to: 1.500 (≈ $1036).

As with other crypto ransomware, Cerber shares many similarities with other malware infections such as Locky, CryptoWall, CTB-Locker, Crypt0L0cker, and TeslaCrypt. All have identical behavior: they encrypt files and encourage users to pay a ransom to decrypt them. The only differences between these viruses are the algorithm used to encrypt the files and the size of the ransom. Be aware that there is no guarantee that your files will ever be decrypted even after paying the ransom. Paying is equivalent to sending your money to cyber criminals: you merely support their malicious businesses. Therefore, never pay the ransom and do not attempt to contact these people. Malware such as Cerber is mostly proliferated via malicious e-mail attachments, peer-to-peer (P2P) networks (for example, Torrent), fake software updates, and trojans. Be cautious when opening attachments from unrecognized emails and ensure that your chosen files are downloaded from trusted sources. Furthermore, keep all installed software up-to-date and use a legitimate anti-virus or anti-spyware suite.


Screenshot of README.hta file (updated variant of Cerber ransomware now uses this file to open its ransom demanding website):

Cerber website FAQ:

Question: How can i decrypt my files after payment?
Answer: After payment, you can download the «Cerber Decryptor» from your personal page. We guarantee that all your files will be decrypted!

Question: My files was infected more then month ago, can i still decrypt it with your software?
Answer: Yes, you can still decrypt your files after the payment!

Cerber website Support:

In case of any problems with payment or having any other questions, please contact us via the contact form.

Cerber website “Decrypt 1 files for Free”:

We give you the opportunity to decipher 1 file free of charge! You can make sure that the service really works and after payment for the «Cerber Decryptor» program you can actually decrypt the files!

Cerber ransomware is delivered by a rogue document attached to spam emails. Once users open the document, they are encouraged to enable malicious macros - the ransomware then starts to encrypt victims' data:

Screenshot of a folder that was compromised by Cerber ransomware (all files are renamed and have a .cerber extension):

A variant of Cerber ransomware that appends ".beef" extension to encrypted files:

After infiltrating the victim's computer, Cerber ransomware targets files with these extensions:

How to get ? 1. Create a Bitcoin Wallet (we recommend Blockchain.info) 2. Buy necessary amount of Bitcoins Do not forget about the transaction commission in the Bitcoin network (0.0005 BTC). 3. Send 1.24 Bitcoins to the following Bitcoin address: - 4. Control the amount transaction at he panel below. 5. Get a link and download the software.

Text presented in #DECRYPT MY FILES#.txt file:

CERBER

Cannot your find the files you need? Is the content of the files that you looked for not readable? It is normal because the files’ names, as well as the data in your files have been encrypted. Great!!! You have turned to be a part of a big community #CerberRansomware.

What is encryption? Encryption is a reversible modification of information for security reasons but providing full access to it for authorised users. To become an authorised user and keep the modification absolutely reversible (in other words to have a possibility to decrypt your files) you should have an individual private key. But not only it. It is required also to have the special decryption software (in your case “Cerber Decryptor” software) for safe and complete decryption of all your files and data.

Everything is clear for me but what should I do? The first step is reading these instructions to the end. Your files have been encrypted with the “Cerber Ransomware” software; the instructions (“#DECRYPT MY FILES #.html” and “# DECRYPT MY FILES #.txt”) in the folders with your encrypted files are not viruses, they will help you. After reading this text the most part of people start searching in the Internet the words the “Cerber Ransomware” where they find a lot of ideas, recommendation and instructions. It is necessary to realise that we are the ones who closed the lock on your files and we are the only ones who have this secret key to open them.

!!! Any attempts to get back you files with the third-party tools can!!! be fatal for your encrypted files.

The most part of the tried-party software change data with the encrypted files to restore it but this cases damage to the files. Finally it will be impossible to decrypt your files. When you make a puzzle but some items are lost, broken or not put in its place - the puzzle items will never match, the same way the third-party software will ruin your files completely and irreversibly. You should realise that any intervention of the third-party software to restore files encrypted with the “Cerber Ransomware” software may be fatal for your files.

What should you do with these addresses? If you read the instructions in TXT format (if you have instructions in HTML (the file with an icon of you Internet browser) then the easiest way is to run it): 1. take a look at the first address 2. select it with the mouse cursor holding the left mouse button and moving the cursor to the right; 3. release the left mouse button and press the right one; 4. select “Copy” in the appeared menu; 5. run you Internet browser (if you do not know what it is run the Internet Explorer); 6. move the mouse cursor to the address bar of the browser (this is the place where the site address is written); 7. click the right mouse button in the field where the site address is written; 8. select the button “Insert” in the appeared menu; 9. then you will see the address appeared there; 10. press ENTER; 11. the site should be loaded; if it is not loaded repeat the same instructions with the second address and continue until the last address if falling. If for some reason the site cannot be opened check the connection to the Internet; if the site still cannot be opened take a look at the instructions on omitting the post about working with the addresses in the HTML instructions.

Additional information: You will find the instructions for restoring your files in those folders where you have encrypted files only. The instructions are made in two file formats - HTML and TXT for your convenience. Unfortunately antivirus companies cannot protect or restore your files but they can make the situation worse removing the instructions how to restore your encrypted files. The instructions are not viruses; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.

Cerber Ransomware Project is not malicious and is not intended to harm a person and his/her information data. The project is created for the sole purpose of instruction regarding information security, as well as certification of antivirus software for their suitability for data protection. Together we make the Internet a better and safer place.

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Video showing how to start Windows 10 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the Cerber virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.


If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Cerber are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Cerber, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Cerber ransomware.

I am passionate about computer security and technology. I have an experience of 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an editor for pcrisk.com since 2010. Follow me on Google+ to stay informed about the latest online security threats.
